Your staff are the target: defending against voice phishing
Criminals aren’t hacking your firewall; they’re ringing your team. Voice phishing is on the rise, and your staff are the way in.
By The Dragon Digital team
Attackers rarely build their way in anymore. They talk their way in. Voice phishing (vishing, if you want the jargon) has become the standard playbook for several well-organised criminal groups, and it’s been working reliably since early 2026. These aren’t random nuisance calls. They’re deliberate, researched, and aimed at businesses just like yours.
How the attack actually works
The caller sounds credible because they’ve done their homework. They have your company’s internal terminology, the names of real colleagues, and accurate descriptions of your systems, all scraped from LinkedIn, your website, and public filings. They ring your staff claiming to be from IT support and ask for one of three things: login details, a tap-to-approve on your two-factor authentication app, or direct access to a system.
If they get what they want, they move quietly through your accounts, find the valuable stuff (customer records, financial files, contracts), copy it out, and then ask for money to keep it quiet. Some groups have gone further and contacted clients or suppliers directly to pile on the pressure.
If your business holds other people’s sensitive data (an accountancy firm, a legal practice, an HR consultancy), you’re a particularly attractive target. A compromised password at your end can unlock access to your clients’ systems too.
The parallel threat: breached data already in the wild
Separately, a breach at Carnival Corporation in April 2026 saw nearly 6 million records stolen: names, addresses, emails, passport numbers, loyalty account details. That data is now circulating. Phishing campaigns will use it to craft convincing lures, because a message that includes your real address and passport details is a lot harder to dismiss as a scam.
These two threats reinforce each other. Breached personal data makes voice phishing calls more convincing; a successful voice phishing call hands attackers the credentials to cause real damage.
What to do about it
The good news is that the defences aren’t complicated:
- Tell your staff that IT support will never ring asking for a password or an MFA approval. That one rule, if understood and followed, breaks the most common attack path.
- Use number-matching on your authentication app, so staff have to type in a code from the screen rather than just tapping approve. It’s a small friction that makes the attacker’s job much harder.
- Review who has access to what. If someone in accounts can log into systems they don’t use day-to-day, that’s unnecessary risk.
- Have a clear process for suspicious calls. Staff should be able to hang up, check internally, and call back on a known number, without feeling awkward about it. As we covered when looking at why MFA alone doesn’t stop voice-call scams, the approval button is only as safe as the person pressing it. Training and process matter as much as the technology.
If you’re also thinking about what happens after a credential gets stolen, one compromised Microsoft 365 account can unlock far more than people expect; it’s worth understanding the blast radius before it becomes relevant.
Staff awareness is the single most effective control here, and it doesn’t require expensive software. Dragon Digital runs security awareness training and puts the right technical controls in place for businesses across North Wales. That’s a good conversation to have before someone on your team gets a convincing call from “IT support”.